Information Security vs. Cybersecurity, Part 1

by Brent Kirkpatrick

(Date Published: 2/8/2018.)

Information security is not cybersecurity.

Are your efforts designed around who-knows-what or around who-has-access-to-what? Suppose permissions are left open, accidentally, to some important data, but there is no evidence that anyone accessed it. Is this a failure of security?

This example would be a failure of cybersecurity if your security policy strictly lists (or even implies) who should be allowed access. It is not a failure of information security if only people on the allowed list accessed the data.

Do you trust your access logs? If you trust your access logs, you would rule this example a close call, but not a breach. If you do not trust your access logs (perhaps they were hacked or buggy), then you would rule this a breach.
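The decision described above can be written as a check over the access log. This is an added example, not part of the original article. It assumes a hash-chained log whose final hash is anchored somewhere an attacker cannot rewrite; the record format, user names, file name and function names are all constructed for illustration.

```python
import hashlib

GENESIS = "0" * 64  # assumed starting value for the hash chain

def record_hash(prev, ts, user, resource):
    """Hash of one log record, bound to the hash of the record before it."""
    return hashlib.sha256(f"{prev}|{ts}|{user}|{resource}".encode()).hexdigest()

def build_log(records):
    """Build a hash-chained log from (timestamp, user, resource) tuples."""
    log, prev = [], GENESIS
    for ts, user, resource in records:
        prev = record_hash(prev, ts, user, resource)
        log.append({"ts": ts, "user": user, "resource": resource, "hash": prev})
    return log

def log_is_trusted(log, anchored_head):
    """Recompute the chain; an edited, reordered or truncated log fails."""
    prev = GENESIS
    for e in log:
        if e["hash"] != record_hash(prev, e["ts"], e["user"], e["resource"]):
            return False
        prev = e["hash"]
    return prev == anchored_head  # catches truncation or a full rewrite

def assess_exposure(log, anchored_head, resource, start, end, allowed):
    """Rule on an open-permissions window: returns (verdict, unlisted users)."""
    if not log_is_trusted(log, anchored_head):
        return "breach", set()  # untrusted log: absence of evidence proves nothing
    # ISO 8601 UTC timestamps in one format compare correctly as strings.
    accessors = {e["user"] for e in log
                 if e["resource"] == resource and start <= e["ts"] <= end}
    unlisted = accessors - allowed
    return ("breach" if unlisted else "close call"), unlisted

# Constructed sample data
ALLOWED = {"alice", "bob"}
SAMPLE = build_log([
    ("2018-02-01T09:00:00Z", "alice", "payroll.csv"),
    ("2018-02-01T11:30:00Z", "bob", "payroll.csv"),
    ("2018-02-02T14:10:00Z", "alice", "payroll.csv"),
])
HEAD = SAMPLE[-1]["hash"]  # in practice stored apart from the log itself

if __name__ == "__main__":
    print(assess_exposure(SAMPLE, HEAD, "payroll.csv",
                          "2018-02-01T00:00:00Z", "2018-02-03T00:00:00Z", ALLOWED))
```

In every case the open permissions remain the cybersecurity failure; the function only decides whether the exposure also counts as a breach.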